ISP abuse notice

miken2av
New Member
Posts: 20
Joined: Wed Jul 20, 2011 9:30 am
Location: Birmingham, AL USA

ISP abuse notice

Postby miken2av » Fri Jan 20, 2017 10:13 pm

The ISP for our stake center has sent me an email. I checked the headers and it seems legit, though I haven't called them and I haven't called the LDS Global Help desk. The message:

"Issue Description – A device on your network is capable of a network-impacting, distributed denial-of-service (DDoS) attack due to a flaw in the Network Time Protocol (NTP) on the device. Various commands in older versions of NTP can be easily exploited for malicious intent. "

It goes on to list the evidence:
Issue Description: NTP (Port 123) Vulnerability
Vulnerable Port: 123
Vulnerable IP Address:
Timestamp: 2017-01-15 04:06:33 GMT

It includes the IP address of our connection to our ISP, which I verified. We do have a static address.

The email gives instructions on updating NTP protocol on our server. We aren't running any servers. Just Windows 7 and 10 workstations.

I wouldn't think that the ISP could even see anything on our network with the Church Cisco Firewall in place. Could it be the firewall?

Another strange thing is the email sent to me was copied to a person (@xilec.com) at a company located in Draper, UT (I am in Alabama).

Any ideas? Seems like the higher tiers of support from the church are usually only available M-F 9 to 5 so may just wait to call until Monday.

Thanks
Michael STS

russellhltn
Community Administrator
Posts: 22027
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: ISP abuse notice

Postby russellhltn » Fri Jan 20, 2017 10:56 pm

Try this: While on your church network, navigate to grc.com. Click on "ShieldsUp!" on the first two screens. Then "Proceed". Type in "123" and click "User Specified Custom Port Probe". I'd expect you to get "stealth".
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.


Re: ISP abuse notice

Postby miken2av » Fri Jan 20, 2017 11:08 pm

I did get Stealth as the result.

Also found out that xilec is a company that handles some billing for the church so they are on the account.


Re: ISP abuse notice

Postby russellhltn » Fri Jan 20, 2017 11:24 pm

Wild speculation: might be what the ISP has noticed is that something on the network is using an old NTP protocol. It's not reachable from the outside, but if someone were to attack from within, then it could flood the internet. A quick Google shows a couple of people have received notices from Zen Internet.


Re: ISP abuse notice

Postby miken2av » Sat Jan 21, 2017 6:08 am

In talking to our Facilities Manager, they have gotten several of the notices, all from the same ISP: Charter / Spectrum. The other issue here is the "threat" they give if it isn't resolved:

"Please be advised that Spectrum’s Acceptable Use Policy (AUP) explicitly prohibit actions, whether intentional or unintentional, that disrupt Charter’s network. These policies are available on https://www.charter.net/page/terms-of-service-policies/ for your convenience.

Repeated events and/or complaints pertaining to this network abuse issue may result in an interruption of your service. "


Re: ISP abuse notice

Postby russellhltn » Sat Jan 21, 2017 12:09 pm

miken2av wrote: In talking to our Facilities Manager they have gotten several of the notices

Which makes me wonder - what devices does FM have connected to the network? They may be what's triggering the notice. Things like thermostats, sprinkler timers, etcetera will likely make time requests and are notorious for not getting software updates. These things may pre-date the phrase "Internet of Things" (IoT), but that's what they are.

I can't rule out something on the router, but it would be something of a major cringe for the church's networking department to let them get that far out of date. However, when it comes to FM's devices ....

Note that insecure IoT devices are now a major concern to ISPs and the biggest threat to the Internet itself. 10 things to know about the October 21 IoT DDoS attacks. Unfortunately, many users and companies don't see a problem with their unsecure devices because "hey, it works".
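An added example, not part of the thread or written by any of its posters: one way to find which device on the LAN speaks NTP, and in what role, from packets captured on the inside of the firewall. It reads the version and mode bits from the first byte of each UDP/123 payload; modes 6 (control) and 7 (private) carry the query commands of older NTP implementations. The record format, the LAN range 10.0.0.0/24 and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# NTP mode = low 3 bits of the first payload byte; version = next 3 bits.
MODES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
         4: "server", 5: "broadcast", 6: "control", 7: "private"}

def classify(payload: bytes):
    """Return (version, mode_name) read from the first byte of an NTP payload."""
    if not payload:
        raise ValueError("empty NTP payload")
    return (payload[0] >> 3) & 0x7, MODES.get(payload[0] & 0x7, "reserved")

def audit(packets, lan="10.0.0.0/24"):
    """Map each LAN host to the NTP roles it was seen playing.

    packets: iterable of (src_ip, src_port, dst_ip, dst_port, payload_hex).
    """
    net = ipaddress.ip_network(lan)
    roles = {}
    for src, sport, _dst, dport, payload_hex in packets:
        if ipaddress.ip_address(src) not in net:
            continue  # only packets sent by our own devices are of interest
        version, mode = classify(bytes.fromhex(payload_hex))
        if dport == 123 and mode == "client":
            role = f"client-v{version}"             # ordinary time request
        elif sport == 123 and mode in ("server", "control", "private"):
            role = f"responder-{mode}-v{version}"   # device answers NTP queries
        else:
            role = f"other-{mode}-v{version}"
        roles.setdefault(src, set()).add(role)
    return roles

def responders(roles):
    """Hosts that answered NTP queries: the ones to patch or reconfigure."""
    return sorted(h for h, r in roles.items()
                  if any(x.startswith("responder-") for x in r))

# Constructed sample records (hypothetical LAN 10.0.0.0/24, documentation IPs).
PAD = "00" * 47
SAMPLE = [
    ("10.0.0.21", 49152, "192.0.2.10", 123, "23" + PAD),    # v4 client request
    ("192.0.2.10", 123, "10.0.0.21", 49152, "24" + PAD),    # reply from outside
    ("10.0.0.35", 123, "192.0.2.10", 123, "1b" + PAD),      # v3 client (old device)
    ("10.0.0.40", 123, "198.51.100.7", 40000, "97" + PAD),  # v2 mode 7 response
]

if __name__ == "__main__":
    found = audit(SAMPLE)
    for host in sorted(found):
        print(host, sorted(found[host]))
    print("answering queries:", responders(found))
```

A host that only ever appears as a client is making time requests; a host listed by `responders` is answering NTP queries and is the one to update or have NTP service disabled on.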

rknelson
Member
Posts: 88
Joined: Tue May 01, 2007 2:13 pm
Location: Oregon

Re: ISP abuse notice

Postby rknelson » Sun Jun 11, 2017 5:28 pm

miken2av wrote: Another strange thing is the email sent to me was copied to a person (@xilec.com) at a company located in draper UT (I am in Alabama)


Xilec is a contractor the church uses to pay ISPs. Supposedly they monitor the bills and look for better deals. In fact, I don't think they do anything except pay the bills. If you check the address you will find it is a residential address.

